Using own certificate on ASA for SSLVPN

tholmes
Level 1

Hello,

I've searched the forum for a definitive answer to this question but I'm afraid I can't find one, can someone please help

I've a customer's ASA to which I've set up Client SSLVPN and Clientless SSLVPN.

The customer has his own certificate which he'd like to use to stop that annoying 'problem with websites security certificate' message.

The problem is that his certificate wasn't issued as a result of the ASA's CSR

Is it possible to do this and if so how please.

I told him the ASA needs to generate a CSR which is then sent to VeriSign (for example) who then send back a cert to add to the ASA.

But he's seen the link below...

http://http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704

I think this relates to Java and I'm not sure what step 1. is referring to:

Step 1. Export the certificate with PKCS12 file (with a private key) ????

Any help would be greatly appreciated

Regards Tony


17 Replies

Jennifer Halim
Cisco Employee

Yes, that link is exactly what you are after.

Since the CSR is not generated from the ASA, you would need to export the certificate that includes the private keys so the ASA will have a copy of those private keys. The certificate that you are going to export to the ASA needs to be in PKCS12 format and you can convert a PFX format certificate (this typically includes the private keys) to PKCS12 using OpenSSL as stated in the documentation.

Hope that answers your question.

Hi Jennifer,

Thanks for the prompt response and the answer, it looks like I'll need to do some back tracking with the customer!

Cheers Tony

Hi Jennifer,

I hope you can help me as I'm going around in circles with this certificate thing.

The customer has sent me 2 files

gd_iis_intermediates.p7b

and

X_web.p12

I've converted the X_web.p12 into a PEM extension, and when I look at this in a text file, I can see 2 certs, an RSA certificate starting

---BEGIN RSA PRIVATE KEY--- and another certificate starting  ---BEGIN CERTIFICATE---.

The web page  http://http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704 step 3. advises to use command line to enter the certificate but which of these 2 shown in the PEM file should I use?

Right now I only have ASDM access

I can VPN into the ASA and access the ASDM, but when I attempt to import the cert this way using paste, the paste function fails to work, right click to paste does NOT work, I can't manually enter the code as it's huge!

I tried to browse for the files and it finds the 2 mentioned above but it does seem to like the format and brings up an error message, opening the cert files just seems to add them to my laptop

Any help appreciated

Regards Tony


Hi,

You just need to import the .p12 file directly into a new trustpoint as it is on the ASDM in the identity certificate section. Only if you need to import via CLI would you need to convert it to base64.

From what you have I believe the identity cert and rsa keys are in the p12 file. After you import that using the ASDM, authenticate the same trustpoint using the intermediate certs that you have. Or another way is to combine the p7 file into a single pkcs12 file using openssl and import it and be done with it once.

So the important thing to note is that you can import the pkcs12 from the .p12 file directly from ASDM (not CLI).

Hi Rahgovin,

Many thanks for your help, I did attempt to import the .p12 into the ASA using the ASDM but get the error message below

'ERROR: Import PKCS12 operation failed'

I'm browsing for the .p12 file, is there anything I should be doing differently?

Cheers Tony

It would be best to run a debug cry ca 255 on a console window when you try to import it and collect the debugs to see where it's going wrong.

Also try adding the ca certificate into the p12 file using openssl and then importing again.

Is the p12 file already base64 encoded? You can try importing it through CLI too. Please open the file in WordPad. If it has normal alphabetical/numerical characters it is in Base64 encoding. If not then we need to convert it. To convert to base64 we can use OpenSSL. Most Linux systems will have this installed by default; if you are in Windows you will need to download the OpenSSL compiled binaries.

To convert to base64 via openssl use the following command
   openssl base64 -in original.pkcs12 -out base64.pkcs12

This will convert to base64 without changing the password.

And then do a crypto ca import <trustpoint-name> pkcs12 <passphrase> and paste the base64 text when prompted.

Hello again Rahgovin,

I'm remote from the ASA but will try to log the debug on the ASDM

Actually I do have the .p12 file as a base64, I managed to convert it to PEM format.

It shows 2 certificates.

The first starts with ---BEGIN RSA PRIVATE KEY--- and displays all the alpha/numeric characters you mention.

(are these the private keys?)

Then there is a section showing the subject, OU, CN stuff

Then there is another certificate which starts with ---BEGIN CERTIFICATE---

(I guess this is the actual certificate)

I'll try to get into the ASA CLI and enter it that way.

I'm guessing its the second certificate that I'll need to paste in

Thanks again for your input

Regards Tony

Hi Tony,

You need to put in the entire file (base64) through the CLI, including the key and certificate.

So when the console asks you to import the base64 pkcs12 file  put in the entire file starting from begin private key.

Hi Rahgovin,

I'm able to SSH now and use the CLI but after pasting in the entire text it still returns that operation failed error, I set up the debug too but it doesn't show anything.

I'm thinking I'll have to ask the customer to use the ASA CSR procedure and get them to buy another cert.

I downloaded OpenSSL and have installed it but running it from a cmd prompt doesn't work, I can't find an application for it so I've hit a brick wall there

Thanks for your help though, it's much appreciated

Regards Tony

Most certificate vendors have an option to rekey the cert at no additional cost if the cert is to the same FQDN. So your customer most likely won't have to buy another one but rekey the same one by giving them a new CSR.

Hi Rahgovin,

Thanks for all your help, it turned out the ASA didn't like the .p12 format and so exporting them to the desktop in PKCS12 format did the trick

Also I was hitting the IP address and should have been going to the URL

It's working now thanks again for all your help

Cheers Tony

Great. You imported them via CLI or ASDM finally?

Hi - I used the ASDM in the end, just needed to get the format correct, .p12 didn't work, .PKCS12 did, the Internet is confusing as it repeatedly says these are the same

Thanks for your persistence

Tony

Hello Jennifer,

I have received a zip file from Go Daddy to renew the ASA SSL AnyConnect VPN cert. The CSR was not generated on the ASA and I assume I will need to use OpenSSL to create a PKCS#12 cert to be able to export it to the ASA. As per the attached image, if I am correct, the zip file contains an intermediate gd_bundle cert (gd_bundle-g2-g1.crt), an identity cert (800d398111c571fc.crt) and a pem file (800d398111c571fc.pem). Both the pem and crt files have the same text contents and start with '-----BEGIN CERTIFICATE-----'. My question is, wouldn't the PrivateKey.key file be needed instead of the pem file? And how do both the pem and crt files have the same contents? Do I also need to convert the pkcs12 file to pfx to export it to the ASA?

Any help would be much appreciated. Thank you
